[tor-commits] [donate/master] Revert "Use wildcard for Access-Control-Allow-Origin"

peterh at torproject.org peterh at torproject.org
Tue May 11 21:17:51 UTC 2021


commit 3df82c4eeb72db90348e40514b280d96accdc833
Author: Peter Haight <peterh at giantrabbit.com>
Date:   Wed Oct 21 11:46:12 2020 -0700

    Revert "Use wildcard for Access-Control-Allow-Origin"
    
    This reverts commit 9a7940ba9994789293b44c64632822cc849c918c.
    
    This didn't work because then we get this error in the browser:
    
    Access to fetch at
    'https://donate-api.torproject.org/setExpressCheckout' from origin
    'https://donate.torproject.org' has been blocked by CORS policy:
    Response to preflight request doesn't pass access control check: The
    value of the 'Access-Control-Allow-Origin' header in the response must
    not be the wildcard '*' when the request's credentials mode is
    'include'.
---
 src/AccessControlMiddleware.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/AccessControlMiddleware.php b/src/AccessControlMiddleware.php
index d5b7381d..d900fa63 100644
--- a/src/AccessControlMiddleware.php
+++ b/src/AccessControlMiddleware.php
@@ -4,7 +4,7 @@ namespace Tor;
 
 class AccessControlMiddleware {
   public function __invoke($request, $response, $next) {
-    $response = $response->withHeader('Access-Control-Allow-Origin', '*');
+    $response = $response->withHeader('Access-Control-Allow-Origin', $this->torSiteBaseUrl);
     $response = $response->withHeader('Access-Control-Allow-Credentials', 'true');
     $response = $response->withHeader('Access-Control-Allow-Headers', 'Content-Type');
     return $next($request, $response);
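Review bot: The `Access-Control-Allow-Origin` line now depends on `$this->torSiteBaseUrl`, which is not defined anywhere in this hunk. Because it is sent together with `Access-Control-Allow-Credentials: true`, its value has to be exactly one serialized origin (scheme, host and optional port, no path or trailing slash), or the browser will reject the preflight again. If the property is populated from configuration, validating or normalising it where it is set would catch an empty or path-bearing value early. A short comment above the line would also keep the wildcard from being reintroduced, e.g. `// Credentialed requests forbid '*'; send the one trusted origin, never the request's Origin header.` The class body and `__invoke` continue outside the hunk, so the property's initialisation could not be checked here.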




